CISA, NSA guidance tries to reduce alternatives to secure industrial control systems
Federal agencies have issued guidance that they hope will help streamline and ease the decision-making process for owners of critical infrastructure to begin protecting industrial control systems from an increasing likelihood of cyberattacks.
“The variety of security solutions available can also be intimidating and lead to paralysis of choice,” said a guide released Thursday by the Cybersecurity and Infrastructure Security Agency along with the National Security Agency. “Amidst so many options, owner/operators may not be able to incorporate simple security and management strategies that could mitigate many of the common and realistic threats. Fortunately, owner/operators can employ some straightforward ICS security best practices to counter the adversary [Tactics, Techniques and Procedures].”
The guide notes the emergence of novel malware targeting specific programmable logic controllers and Open Platform Communications Unified Architecture. It warns of robust reconnaissance by adversaries who could use these and other tools to wreak wide-ranging physical and psychological consequences on society.
“They could open or close circuit breakers, throttle valves, overfill tanks, overspeed turbines, or place equipment in unsafe operating conditions,” the authorities wrote of malicious cyber actors. “Furthermore, cyber actors could manipulate the control environment, obscuring operator awareness and impeding recovery by locking interfaces and adjusting monitors to show normal conditions. Actors can even suspend the alarm function, allowing the system to operate in unsafe conditions without alerting the operator.”
CISA is expected to soon release performance targets for critical infrastructure containing industrial control systems. Achievement of the goals is voluntary according to the national security memo requesting CISA to produce them. However, trade associations for some of the economy’s biggest companies are skeptical about how it could be used in potential regulations. In a Sept. 16 letter to Senate leaders responsible for drafting the National Defense Authorization Act, they argue that companies should be allowed to voluntarily implement security controls “based on their own risk assessment.”
The NSA and CISA guidance emphasized that owners and operators must be aware of all devices in their systems and pay particular attention to those that can be accessed remotely, including device vendors. NSA and CISA note that vendors sometimes “require remote access for warranty compliance, service commitments, and financial/billing functions.”
“Establish a firewall and demilitarized zone (DMZ) between the control system and the vendor access points and devices,” they write at the top of their list of recommended mitigation measures. “Do not allow direct access to the system; use an intermediary service to share only necessary data and only when needed.”
CISA included a related measure in a list of “common baseline” controls proposed to serve as the performance targets that the national security memo asked the agency to establish.
“All owners/operators should implement segmentation between [information technology] and [operational technology] Networks to prevent initial access by threat actors,” reads a draft of CISA’s Common Baseline Controls, referenced by trade associations opposing the proposal. “Organizations should ensure that devices on either side of segmentation lines/security zones are not allowed to connect to the other side with minimal exceptions and only through a properly configured firewall or comparable alternative.”
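The two measures quoted above (a DMZ with an intermediary service between vendor access and the control system, and IT/OT segmentation with only firewall-mediated exceptions) can be checked mechanically against a firewall ruleset. The following is an added example, not tooling from CISA, NSA or the guidance itself: it models four hypothetical zones (IT, VENDOR, DMZ, OT), audits a constructed ruleset for direct cross-zone access into or out of OT, and requires that the only path into OT is from the DMZ on an explicitly named service. The rule sets, zone names and the OPC UA relay scenario are constructed for illustration; port 4840 is the standard OPC UA port.

```python
"""Audit a zone-based firewall ruleset against the segmentation principles
quoted from the CISA/NSA guidance. Added example; assumes a simple
zone-to-zone rule model rather than any particular firewall product."""
from dataclasses import dataclass

ANY = "any"
OT_ZONES = {"OT"}                       # control system network
EXTERNAL_ZONES = {"IT", "VENDOR"}       # must never reach OT directly
INTERMEDIARY_ZONE = "DMZ"               # the only zone allowed to talk to OT


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: str      # "any" or a port number as a string, e.g. "4840" for OPC UA
    action: str        # "allow" or "deny"
    comment: str = ""


def _touches(zone: str, zone_set: set) -> bool:
    """A wildcard zone matches every zone in zone_set."""
    return zone == ANY or zone in zone_set


def audit_rules(rules):
    """Return (rule, finding) pairs for allow rules that violate the policy:
    - no direct access from IT/vendor zones (or a wildcard) into OT,
    - no direct access from OT out to IT/vendor zones,
    - DMZ -> OT allows must name a specific service, not "any" port."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        into_ot = _touches(rule.dst_zone, OT_ZONES)
        out_of_ot = _touches(rule.src_zone, OT_ZONES)
        if into_ot and _touches(rule.src_zone, EXTERNAL_ZONES):
            findings.append((rule, f"direct access into OT from {rule.src_zone}"))
        elif out_of_ot and _touches(rule.dst_zone, EXTERNAL_ZONES):
            findings.append((rule, f"direct access from OT to {rule.dst_zone}"))
        elif into_ot and rule.src_zone == INTERMEDIARY_ZONE and rule.dst_port == ANY:
            findings.append((rule, "DMZ -> OT allow is not limited to a named service"))
    return findings


def has_default_deny(rules) -> bool:
    """True when the last rule denies any->any on any port (first match wins)."""
    if not rules:
        return False
    last = rules[-1]
    return last.action == "deny" and (last.src_zone, last.dst_zone, last.dst_port) == (ANY, ANY, ANY)


# Constructed "before" ruleset: vendor and IT hosts reach the PLC network directly.
WEAK_RULESET = [
    Rule("VENDOR", "OT", ANY, "allow", "vendor remote support straight into control network"),
    Rule("IT", "OT", ANY, "allow", "historian polls PLCs from the corporate network"),
    Rule(ANY, ANY, ANY, "allow", "catch-all allow"),
]

# Constructed "after" ruleset: every path into OT goes through a DMZ relay on one service.
HARDENED_RULESET = [
    Rule("VENDOR", "DMZ", "443", "allow", "vendor lands on the remote-access host in the DMZ"),
    Rule("IT", "DMZ", "4840", "allow", "IT reads replicated OPC UA data from the DMZ relay"),
    Rule("DMZ", "OT", "4840", "allow", "DMZ relay polls the OPC UA server in OT"),
    Rule(ANY, ANY, ANY, "deny", "default deny"),
]


if __name__ == "__main__":
    for name, ruleset in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(f"{name}: default deny present = {has_default_deny(ruleset)}")
        for rule, finding in audit_rules(ruleset):
            print(f"  {rule.src_zone} -> {rule.dst_zone}:{rule.dst_port}  {finding}")
```

The hardened ruleset reflects the quoted guidance directly: vendor and IT traffic terminates in the DMZ, only the DMZ relay may open a connection into OT, and that connection is limited to a single named service, so an audit that returns no findings plus a trailing default deny is the expected state.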
Comments were prepared by CTIA – The Wireless Association, NCTA – The Internet and Television Association and USTelecom – The Broadband Association.
“This design control is overly prescriptive and oversimplifies segmentation tradeoffs for different networks,” the associations wrote, noting a lack of flexibility to allow for alternative approaches. “Segmentation can be costly and impede access to business or mission-critical applications. Too rigid an expectation of standard segmentation would deprive organizations of the ability to manage their systems and networks. Accordingly, CISA should at least remove language such as “must”.”
CISA is expected to release final performance targets sometime in October to mark Cybersecurity Awareness Month.